Abe,

If you can't test it with the apache user then write a non-ASP.NET app
doing the same (emailing) and run it under your current user.

Then use certmgr to delete all certificates (of the current user, not
machine) and try again. At this step you'll be sure if (or not) the
required certificates were found. Update the bug report with the above
information.

Thanks
Sebastien

On Mon, 2010-07-12 at 15:19 -0400, Abe Gillespie wrote:
> Hi Sebastien,
>
> I ran mozroots as myself but with the -m switch to install into the
> machine store. Of course I did run it with "sudo" so it's technically
> owned by root:root. I don't believe it's a permissions problem
> because a) this worked fine somewhere along the 2.4.x line, b) others
> seem to be experiencing this as a recent regression as evidenced by
> this http://bit.ly/bjxgHT, and c) I'm *pretty* sure the apache user
> has the necessary rights to read the certs - ugo all have the "r" flag
> set through the entire directory structure to the certs
> (/usr/share/.mono/certs/*), unfortunately I couldn't verify for sure
> because when I switch user from root to apache I get "This account is
> currently not available.".
>
> -Abe
>
> On Mon, Jul 12, 2010 at 1:43 PM, Sebastien Pouliot
> <[email protected]> wrote:
> > On Sat, 2010-07-10 at 13:44 -0400, Abe Gillespie wrote:
> >> sberryman, Jan,
> >>
> >> Thanks for the help, guys. I did try this as I've used this
> >> work-around before and I *thought* it wasn't working as well. But I
> >> just had another try and it worked fine.
> >>
> >> Now, is there a safe way to implement this work-around?
> >
> > Not really - otherwise there would be no gain (just pain) in verifying
> > the certificate chain ;-)
> >
> >> I'm not much
> >> of a security wonk, so what can I check in the cert to accept only
> >> Google's? I see properties like Issuer, Thumbprint, and
> >> GetRawCertData.
> >
> >> Can I use any of these to verify, or at least do
> >> slightly more than "return true" for all certs?
> >
> > You can check the thumbprint (it's a hash) but that will stop working
> > when Google updates its certificate or if it uses more than one
> > certificate (e.g. on different servers).
> >
> > Now (from the bug report) it looks like you have permission issues when
> > executing code from apache (likely it can't read the certificates). See
> > my comment there...
> >
> >> Thanks.
> >> -Abe
> >>
> >> On Fri, Jul 9, 2010 at 10:06 PM, sberryman <[email protected]> wrote:
> >> >
> >> > You could always use the ServicePointManager to accept all SSL certs.
> >> > Security risk but I've used it in the past when I've had problems with
> >> > Mono and SSL certs.
> >> >
> >> > Simply add the following delegate before you send the email.
> >> >
> >> > ServicePointManager.ServerCertificateValidationCallback = delegate(object sender,
> >> >     System.Security.Cryptography.X509Certificates.X509Certificate certificate,
> >> >     System.Security.Cryptography.X509Certificates.X509Chain chain,
> >> >     System.Net.Security.SslPolicyErrors sslPolicyErrors)
> >> > {
> >> >     return true;
> >> > };
> >> >
> >> > --
> >> > View this message in context:
> >> > http://mono.1490590.n4.nabble.com/Preview-2-6-6-tp2279971p2284277.html
> >> > Sent from the Mono - General mailing list archive at Nabble.com.

_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
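
The thumbprint check discussed in the thread, written out as an added example (it is not code from any poster or from Mono): the callback keeps normal chain validation, and only when the chain cannot be built does it fall back to an allow-list of several thumbprints, which covers the multiple-server and rotation cases raised above. The class and method names are hypothetical and the thumbprint values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertificatePolicy   // hypothetical helper, not a Mono API
{
    // Placeholder SHA-1 thumbprints (hex, no separators). Replace them with the
    // values of the certificates your mail server really presents; list every
    // server's certificate and add the next one before a rotation.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "0000000000000000000000000000000000000000", // placeholder
        "1111111111111111111111111111111111111111", // placeholder
    };

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Chain built and host name matched: normal validation succeeded.
        if (errors == SslPolicyErrors.None)
            return true;

        // No certificate, or one issued for a different host name, is never
        // accepted, pinned or not.
        if (certificate == null ||
            (errors & (SslPolicyErrors.RemoteCertificateNotAvailable |
                       SslPolicyErrors.RemoteCertificateNameMismatch)) != 0)
            return false;

        // Only chain errors remain (e.g. the process cannot read the root
        // store). Accept just the exact certificates on the allow-list.
        string thumbprint = certificate.GetCertHashString();
        bool pinned = Allowed.Contains(thumbprint);
        if (!pinned)
            Console.Error.WriteLine("Rejected certificate {0} ({1})",
                                    thumbprint, certificate.Subject);
        return pinned;
    }

    // The callback is global to the application: it applies to every SSL/TLS
    // connection made through System.Net, not only to the SMTP client.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

Call `PinnedCertificatePolicy.Install()` once before sending mail; the rejected-thumbprint log line is what tells you a rotation has happened and the allow-list needs updating.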
